An easier (and more secure) way, surely, is to use one-way encryption... and if a user forgets his/her password, replace it with a random alphanumeric string and mail that to them instead with instructions to change it to one of their own choosing as soon as possible.
Mike

----- Original Message -----
From: "Michael Collins" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, August 11, 2002 5:25 PM
Subject: Need reversible encryption as string

>
> I want to securely store a value that is used as a password to log
> someone into a Web application. I also want to be able to allow the
> user to search for their email address and have their password sent
> back to them (in readable form). Encrypt, MD5, and Password are
> non-reversible and thus will not work for my needs.
>
> The Encode function creates a value that is stored as binary. It
> seems that I cannot do a match type search, but I have to convert the
> stored password on each row as follows:
>
> SELECT * FROM MYDB
> WHERE EmailAddress=$EmailEntered AND
> DECODE(LoginPassword,'MySalt')=$PasswordEntered
>
> I would think that using the SQL shown would require a table scan,
> meaning that each and every record in the visitors table must be
> examined, the LoginPassword decoded and compared. There is also no
> way to index this field. I do not think this is the best solution
> after adding 100,000 records.
>
> I see that MySQL 4 offers AES_ENCRYPT() and AES_DECRYPT(), will this
> offer a solution? I believe this will allow me to store the password
> as a string of characters (and not binary data) so that a match can
> be made without having to decode the password, since I can decode
> what is entered by the user using the same salt and compare the two
> encrypted strings.
>
> SELECT * FROM MYDB
> WHERE EmailAddress=$EmailEntered AND
> LoginPassword=DECODE($PasswordEntered,'MySalt')
>
> The decrypt process would only be used when needing to send the
> result back to the user.
>
> Am I understanding this correctly?
>
> --
> Michael
> __
> ||| Michael Collins |||
> ||| Kuwago Inc ||| mailto:[EMAIL PROTECTED]
> ||| Seattle, WA, USA ||| http://www.lassodev.com
>
> ---------------------------------------------------------------------
> Before posting, please check:
> http://www.mysql.com/manual.php (the manual)
> http://lists.mysql.com/ (the list archive)
>
> To request this thread, e-mail <[EMAIL PROTECTED]>
> To unsubscribe, e-mail <[EMAIL PROTECTED]>
> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
>
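
The approach suggested in the reply at the top of this message (one-way storage plus a random replacement password on reset), sketched as an added example that is not code from the thread. The `visitors` table and `EmailAddress` column come from the quoted question; the `Salt`, `PwHash` and `MustChange` columns, the function names, the use of PBKDF2 as the one-way function and of SQLite in place of MySQL are assumptions made here.

```python
import hashlib, hmac, secrets, sqlite3, string

ITERATIONS = 300_000  # PBKDF2 work factor (assumed value for this example)

def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is generated per user."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def open_db():
    db = sqlite3.connect(":memory:")  # stand-in for the MySQL database
    # UNIQUE on EmailAddress creates an index, so a login is one indexed
    # lookup by e-mail; the password column never appears in a WHERE clause.
    db.execute("CREATE TABLE visitors (EmailAddress TEXT UNIQUE NOT NULL,"
               " Salt BLOB NOT NULL, PwHash BLOB NOT NULL,"
               " MustChange INTEGER NOT NULL DEFAULT 0)")
    return db

def register(db, email, password):
    salt, digest = hash_password(password)
    db.execute("INSERT INTO visitors VALUES (?, ?, ?, 0)", (email, salt, digest))

def login(db, email, password):
    """Fetch the row by e-mail only, then compare hashes in the application."""
    row = db.execute("SELECT Salt, PwHash FROM visitors WHERE EmailAddress = ?",
                     (email,)).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, row[0])
    return hmac.compare_digest(digest, row[1])  # constant-time comparison

def reset_password(db, email):
    """Replace the stored hash with that of a random alphanumeric string.
    Returns the temporary password to mail to the user, or None if the
    address is unknown. MustChange flags the account for a forced change."""
    alphabet = string.ascii_letters + string.digits
    temp = "".join(secrets.choice(alphabet) for _ in range(16))
    salt, digest = hash_password(temp)
    cur = db.execute("UPDATE visitors SET Salt = ?, PwHash = ?, MustChange = 1"
                     " WHERE EmailAddress = ?", (salt, digest, email))
    return temp if cur.rowcount else None
```

The original password is never recoverable from the table, so nothing readable can be mailed out or leaked from a database dump; only the freshly generated temporary string ever travels by e-mail.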